summaryrefslogtreecommitdiffstats
path: root/services/auth/source/ldap/README.md
blob: 34c811703f6504cbad11a3536276730d868ac980 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# Gitea LDAP Authentication Module

## About

This authentication module attempts to authorize and authenticate a user
against an LDAP server. It provides two methods of authentication: LDAP via
BindDN, and LDAP simple authentication.

LDAP via BindDN functions like most LDAP authentication systems. First, it
queries the LDAP server using a Bind DN and searches for the user that is
attempting to sign in. If the user is found, the module attempts to bind to the
server using the user's supplied credentials. If this succeeds, the user has
been authenticated, and his account information is retrieved and passed to the
Gogs login infrastructure.

LDAP simple authentication does not utilize a Bind DN. Instead, it binds
directly with the LDAP server using the user's supplied credentials. If the bind
succeeds and no filter rules out the user, the user is authenticated.

LDAP via BindDN is recommended for most users. By using a Bind DN, the server
can perform authorization by restricting which entries the Bind DN account can
read. Further, using a Bind DN with reduced permissions can reduce security risk
in the face of application bugs.

## Usage

To use this module, add an LDAP authentication source via the Authentications
section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP
share the following fields:

* Authorization Name **(required)**
  * A name to assign to the new method of authorization.

* Host **(required)**
  * The address where the LDAP server can be reached.
  * Example: mydomain.com

* Port **(required)**
  * The port to use when connecting to the server.
  * Example: 636

* Enable TLS Encryption (optional)
  * Whether to use TLS when connecting to the LDAP server.

* Admin Filter (optional)
  * An LDAP filter specifying if a user should be given administrator
      privileges. If a user accounts passes the filter, the user will be
      privileged as an administrator.
  * Example: (objectClass=adminAccount)

* First name attribute (optional)
  * The attribute of the user's LDAP record containing the user's first name.
      This will be used to populate their account information.
  * Example: givenName

* Surname attribute (optional)
  * The attribute of the user's LDAP record containing the user's surname This
      will be used to populate their account information.
  * Example: sn

* E-mail attribute **(required)**
  * The attribute of the user's LDAP record containing the user's email
      address. This will be used to populate their account information.
  * Example: mail

**LDAP via BindDN** adds the following fields:

* Bind DN (optional)
  * The DN to bind to the LDAP server with when searching for the user. This
      may be left blank to perform an anonymous search.
  * Example: cn=Search,dc=mydomain,dc=com

* Bind Password (optional)
  * The password for the Bind DN specified above, if any. _Note: The password
      is stored in plaintext at the server. As such, ensure that your Bind DN
      has as few privileges as possible._

* User Search Base **(required)**
  * The LDAP base at which user accounts will be searched for.
  * Example: ou=Users,dc=mydomain,dc=com

* User Filter **(required)**
  * An LDAP filter declaring how to find the user record that is attempting to
      authenticate. The '%[1]s' matching parameter will be substituted with the
      user's username.
  * Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))

**LDAP using simple auth** adds the following fields:

* User DN **(required)**
  * A template to use as the user's DN. The `%s` matching parameter will be
      substituted with the user's username.
  * Example: cn=%s,ou=Users,dc=mydomain,dc=com
  * Example: uid=%s,ou=Users,dc=mydomain,dc=com

* User Search Base (optional)
  * The LDAP base at which user accounts will be searched for.
  * Example: ou=Users,dc=mydomain,dc=com

* User Filter **(required)**
  * An LDAP filter declaring when a user should be allowed to log in. The `%[1]s`
      matching parameter will be substituted with the user's username.
  * Example: (&(objectClass=posixAccount)(|(cn=%[1]s)(mail=%[1]s)))
  * Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))

**Verify group membership in LDAP** uses the following fields:

* Group Search Base (optional)
  * The LDAP DN used for groups.
  * Example: ou=group,dc=mydomain,dc=com

* Group Name Filter (optional)
  * An LDAP filter declaring how to find valid groups in the above DN.
  * Example: (|(cn=gitea_users)(cn=admins))

* User Attribute in Group (optional)
  * The user attribute that is used to reference a user in the group object.
  * Example: uid if the group objects contains a member: bender and the user object contains a uid: bender.
  * Example: dn if the group object contains a member: uid=bender,ou=users,dc=planetexpress,dc=com.

* Group Attribute for User (optional)
  * The attribute of the group object that lists/contains the group members.
  * Example: memberUid or member

* Team group map (optional)
  * Automatically add users to Organization teams, depending on LDAP group memberships.
  * Note: this function only adds users to teams, it never removes users.
  * Example: {"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2", ...], ...}, ...}

* Team group map removal (optional)
  * If set to true, users will be removed from teams if they are not members of the corresponding group.